HELLO AND WELCOME! Before you can post your question, you'll have to register -- it's completely free and registered users see less advertising! If you just want to browse through the existing questions, just select the forum that you want to visit from the selection below. Otherwise, click here to register!. We highly recommend that you print a copy of our Guide for New Members. Enjoy!

There is a remotely exploitable vulnerability in the handling of large
chunks of data in web servers that are based on Apache source code.
This vulnerability is present by default in configurations of Apache
web servers versions 1.3 through 1.3.24 and versions 2.0 through
2.0.36. The impact of this vulnerability is dependent upon the
software version and the hardware platform the server is running on.

Re:Apache bug found - CERT advisory

[quote author=pam link=board=5;threadid=3833;start=0#38553 date=1024427917]
I saw a story about that. It seems there is a bit of controversy as to how the vulnerability was revealed.
[/quote]

I saw the same story at security focus. Got to love this -----&gt;

On Monday, Internet Security Systems (ISS) posted their discovery to the BugTraq mailing list, without knowing the full extent of the flaw, and without giving Apache.org time to investigate and develop a patch or even propose a workaround. To sugar the pill ISS had developed its own patch, which Apache later said doesn't address all the issues. Another point in the ISS advisory which Apache disputes is a claim that only installations on Windows are
vulnerable
....
There was a posting at Slashdot suggesting that ISS was using the premature advisory as a publicity stunt; and while there's undoubtedly a lot to that, we have to wonder if there isn't something even creepier behind it. Here we see ISS publishing a vulnerability and a lame patch without so much as consulting the developer of an open-source product, but we've never seen them try to pull a stunt like that with Microsoft, say.

Re:Apache bug found - CERT advisory

Description
Apache HTTP Server contains a vulnerability in the handling of certain chunk-encoded HTTP requests that may allow remote attackers to execute arbitrary code and a denial of service (DoS).

Chunked encoding permits the transfer of fragments of dynamically produced content of varying sizes by including a size indicator as well as information for the recipient to verify receipt of the complete message.

For Apache versions 1.2.2 through 1.3.24, this vulnerability may allow remote attackers to execute arbitrary code on Windows platforms. In addition, Apache has reported that a similar attack may allow the execution of arbitrary code on both 32-bit and 64-bit UNIX-based systems.

For Apache versions 2.0 through 2.0.36, the buffer overflow condition correctly detected however, an attempted exploit may cause the child process to exit depending on a variety of factors, including the threading model supported by the vulnerable system. If multi-threading is used, it may lead to a denial of service attack against the Apache Web server because all concurrent requests currently served by the affected child process will be lost.

Multi-threading is a technique that allows an independent program to perform more than one task at seemingly the same time. For example, a program that loads a data file while also reading user input is said to have two computational units and is therefore multi-threaded.

This vulnerability affects Apache Web server versions that run on many of the various Windows, BSD, Linux, and UNIX releases. Users are encouraged to contact their vendor to determine whether they are affected and acquire appropriate fixes.

Symantec Enterprise Solutions
NetRecon, Symantec's vulnerability assessment tool, has a check for vulnerable Apache HTTP Server versions included in Security Update 10, which will be available through LiveUpdate.

NetProwler, Symantec's network-based intrusion detection tool, includes detection for attempts to exploit this issue in Security Update 18, which is available for download through the NetProwler update capabilities. Click here for further information about NetProwler Security Update 18.